tech-net archive


Re: IPsec vs ssh



Darren Reed <darrenr%netbsd.org@localhost> writes:

> The man page for setkey seems to suggest that there is a priority
> mechanism that would allow me to create a "none" SPD for ssh
> packets but setkey on NetBSD doesn't support this. If I understand
> correctly, if it was present then I would do something like this:
>
> spdadd A.B.C.D/32 E.F.G.0/24 any -P in priority low ipsec
> esp/tunnel/A.B.C.D-E.F.G.H/require;
> spdadd E.F.G.0/24 A.B.C.D/32 any -P out priority low ipsec
> esp/tunnel/E.F.G.H-A.B.C.D/require;
> spdadd A.B.C.D/32[22] E.F.G.0/24[any] tcp -P in priority high none;
> spdadd E.F.G.0/24[any] A.B.C.D/32[22] tcp -P out priority high none;

I have only skimmed this rather huge (and surprisingly contentious)
thread.

Two points about your policies:

  They have to match on both ends, inversely.

  I believe it's first match, not last match.  I am unaware of NetBSD
  supporting priority on policies, and I haven't read the recent specs,
  but I wasn't aware of that being in the RFCs (although it's arguably a
  local matter).

To debug this, besides tcpdump, use netstat -p before and after trying,
to see which counters are going up.

So basically, put the ssh rules first, and then the generic rules.


It's still mysterious why ssh would fail with a working tunnel.  (That
you want ssh excluded so you can use it to fix the other side of tunnels
is understandable.)

Attachment: pgpLIiK4Uf2Xe.pgp
Description: PGP signature
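
The following is an added example, not part of the original message and not NetBSD code: a small Python model of an SPD that assumes first-match lookup (as the reply believes), showing why the ssh "none" rules must precede the generic rules and how the peer's policies mirror them. The addresses are constructed stand-ins for the A.B.C.D and E.F.G.0/24 placeholders, and all names (Policy, lookup, mirror) are hypothetical.

```python
import ipaddress
from dataclasses import dataclass, replace

HOST = "192.0.2.1/32"     # constructed stand-in for A.B.C.D/32
NET = "198.51.100.0/24"   # constructed stand-in for E.F.G.0/24

@dataclass(frozen=True)
class Policy:
    src: str
    sport: object      # int or "any"
    dst: str
    dport: object      # int or "any"
    proto: str         # "tcp" or "any"
    direction: str     # "in" or "out"
    action: str        # "none" (bypass) or "ipsec"

    def matches(self, pkt):
        src, sport, dst, dport, proto, direction = pkt
        return (direction == self.direction
                and self.proto in ("any", proto)
                and self.sport in ("any", sport)
                and self.dport in ("any", dport)
                and ipaddress.ip_address(src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst))

def lookup(spd, pkt):
    # Assumption: the first matching policy wins, later ones are never consulted.
    for policy in spd:
        if policy.matches(pkt):
            return policy.action
    return "no-policy"

def mirror(spd):
    # The peer needs the same selectors with in/out swapped.
    flip = {"in": "out", "out": "in"}
    return [replace(p, direction=flip[p.direction]) for p in spd]

GENERIC = [Policy(HOST, "any", NET, "any", "any", "in", "ipsec"),
           Policy(NET, "any", HOST, "any", "any", "out", "ipsec")]
SSH = [Policy(HOST, 22, NET, "any", "tcp", "in", "none"),
       Policy(NET, "any", HOST, 22, "tcp", "out", "none")]
SSH_FIRST = SSH + GENERIC       # ordering recommended in the reply
GENERIC_FIRST = GENERIC + SSH   # ssh rules are shadowed by the generic ones

# Constructed packets: (src, sport, dst, dport, proto, direction)
SSH_REQ = ("198.51.100.7", 50000, "192.0.2.1", 22, "tcp", "out")
SSH_REPLY = ("192.0.2.1", 22, "198.51.100.7", 50000, "tcp", "in")
PING = ("198.51.100.7", 0, "192.0.2.1", 0, "icmp", "out")
SSH_REQ_AT_PEER = SSH_REQ[:5] + ("in",)   # same packet as the peer sees it
```

If the peer carries only the mirrored generic rules, lookup(mirror(GENERIC), SSH_REQ_AT_PEER) returns "ipsec" while this end sends the packet in the clear, which is the mismatch the "both ends, inversely" point warns about.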


